strongSwan site-to-site (S2S) VPN tunnel between an SRX and a Debian router.
CloudStack VR details (left side):
public interface - eth2 - 10.147.52.20/24
Guest/LAN interface - eth3 - 10.1.1.1/24
SRX device details (right side):
public interface - fe-0/0/4 - 10.102.196.249/24
Guest interface - fe-0/0/1 - 192.168.2.30/24
VR configuration details (strongSwan connection, secrets, interfaces, routes, ipsec.conf):
---------------------
root@r-242-VM:/etc/ipsec.d# cat ipsec.vpn-10.102.196.249.conf
conn vpn-10.102.196.249
left=10.147.30.119
leftsubnet=10.0.0.0/8
leftnexthop=10.147.30.1
right=10.102.196.249
rightsubnet=192.168.2.0/24
type=tunnel
authby=secret
keyexchange=ikev1
ike=aes128-sha1-modp1024
ikelifetime=86400s
esp=aes128-sha1-modp1024
lifetime=3600s
pfs=yes
keyingtries=2
auto=start
root@r-242-VM:/etc/ipsec.d#
root@r-242-VM:/etc/ipsec.d# cat ipsec.vpn-10.102.196.249.secrets
10.147.30.119 10.102.196.249 : PSK "123"
root@r-242-VM:/etc/ipsec.d#
root@r-242-VM:/etc/ipsec.d# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 02:00:0b:ae:00:74 brd ff:ff:ff:ff:ff:ff
inet 10.147.28.114/24 brd 10.147.28.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 1e:00:f6:00:00:0f brd ff:ff:ff:ff:ff:ff
inet 10.147.30.119/24 brd 10.147.30.255 scope global eth1
inet 10.147.30.110/24 brd 10.147.30.255 scope global secondary eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 1e:00:49:01:a8:bd brd ff:ff:ff:ff:ff:ff
inet 10.147.52.20/24 brd 10.147.52.255 scope global eth2
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 02:00:65:36:00:14 brd ff:ff:ff:ff:ff:ff
inet 10.1.1.1/24 brd 10.1.1.255 scope global eth3
root@r-242-VM:/etc/ipsec.d#
root@r-242-VM:/etc/ipsec.d# ip route show
default via 10.147.30.1 dev eth1
10.1.1.0/24 dev eth3 proto kernel scope link src 10.1.1.1
10.147.28.0/24 dev eth0 proto kernel scope link src 10.147.28.114
10.147.30.0/24 dev eth1 proto kernel scope link src 10.147.30.119
10.147.52.0/24 dev eth2 proto kernel scope link src 10.147.52.20
10.147.59.0/24 via 10.147.28.1 dev eth0
root@r-242-VM:/etc/ipsec.d#
root@r-242-VM:/etc/ipsec.d# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
config setup
nat_traversal=yes
charonstart=yes
plutostart=yes
include /etc/ipsec.d/*.conf
root@r-242-VM:/etc/ipsec.d#
SRX configuration (Junos "set" format):
root@SRX-HYD% cat ikev1RouteBased.txt
set version 12.1X46-D30.2
set system host-name SRX-HYD
set system time-zone Asia/Calcutta
set system root-authentication encrypted-password "$1$Upd9DiSK$Kki512FXx6z.2swzlFdoL0"
set system name-server 10.103.128.16
set system login user cloudadmin full-name cloud
set system login user cloudadmin uid 100
set system login user cloudadmin class super-user
set system login user cloudadmin authentication encrypted-password "$1$or4KmtVp$Sj2aKP/LSDRMRi3Aoz1D6/"
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management http interface fe-0/0/0.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system syslog file kmd-logs daemon info
set system syslog file kmd-logs match KMD
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 description "Management Interface"
set interfaces fe-0/0/0 unit 0 family inet address 10.102.195.249/22
set interfaces fe-0/0/1 description "Guest network"
set interfaces fe-0/0/1 vlan-tagging
set interfaces fe-0/0/1 unit 868 vlan-id 868
set interfaces fe-0/0/1 unit 868 family inet filter input vlan-input-868
set interfaces fe-0/0/1 unit 868 family inet filter output vlan-output-868
set interfaces fe-0/0/1 unit 868 family inet address 192.168.2.30/24
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 description "Public Network"
set interfaces fe-0/0/4 vlan-tagging
set interfaces fe-0/0/4 unit 100 vlan-id 100
set interfaces fe-0/0/4 unit 100 family inet address 10.102.196.249/24
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces st0 unit 0 family inet
set interfaces st0 unit 1 family inet
set interfaces vlan unit 0
set interfaces vlan unit 100 family inet address 10.102.196.249/24
set routing-options static route 10.102.196.0/24 next-hop 10.102.196.1
set routing-options static route 10.102.196.0/24 install
set routing-options static route 10.102.192.0/22 next-hop 10.102.192.1
set routing-options static route 10.102.192.0/22 install
set routing-options static route 0.0.0.0/0 next-hop 10.102.196.1
set routing-options static route 10.1.1.0/24 next-hop st0.0
set routing-options static route 172.16.1.0/24 next-hop st0.1
set protocols stp
set security ike traceoptions file ike.log
set security ike traceoptions flag all
set security ike proposal Ikecloud description Ikecloud
set security ike proposal Ikecloud authentication-method pre-shared-keys
set security ike proposal Ikecloud dh-group group2
set security ike proposal Ikecloud authentication-algorithm md5
set security ike proposal Ikecloud encryption-algorithm 3des-cbc
set security ike proposal Ikecloud lifetime-seconds 86400
set security ike proposal ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal ike-phase1-proposal dh-group group2
set security ike proposal ike-phase1-proposal authentication-algorithm sha1
set security ike proposal ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike proposal d-ike-phase1-proposal authentication-method pre-shared-keys
set security ike proposal d-ike-phase1-proposal dh-group group2
set security ike proposal d-ike-phase1-proposal authentication-algorithm sha1
set security ike proposal d-ike-phase1-proposal encryption-algorithm aes-128-cbc
set security ike policy ike-policy1 mode main
set security ike policy ike-policy1 description ikepolicy
set security ike policy ike-policy1 proposals Ikecloud
set security ike policy ike-policy1 pre-shared-key ascii-text "$9$k.Tzn/CuBI"
set security ike policy deepthi-ike-policy mode main
set security ike policy deepthi-ike-policy proposal-set standard
set security ike policy deepthi-ike-policy pre-shared-key ascii-text "$9$3oyt6tuBIEyev"
set security ike policy ike-phase1-policy mode main
set security ike policy ike-phase1-policy proposals ike-phase1-proposal
set security ike policy ike-phase1-policy pre-shared-key ascii-text "$9$tC5duIESreWX7"
set security ike policy d-ike-phase1-policy mode main
set security ike policy d-ike-phase1-policy proposals d-ike-phase1-proposal
set security ike policy d-ike-phase1-policy pre-shared-key ascii-text "$9$9JEfAO1EcyKWL"
set security ike gateway ike-gate ike-policy ike-policy1
set security ike gateway ike-gate address 10.147.30.20
set security ike gateway ike-gate external-interface fe-0/0/4.100
set security ike gateway ike-gate general-ikeid
set security ike gateway ike-gate version v1-only
set security ike gateway deepthi-ike-gate ike-policy deepthi-ike-policy
set security ike gateway deepthi-ike-gate address 10.147.30.114
set security ike gateway deepthi-ike-gate external-interface fe-0/0/4.100
set security ike gateway deepthi-ike-gate version v1-only
set security ike gateway gw-cp ike-policy ike-phase1-policy
set security ike gateway gw-cp address 10.147.30.119
set security ike gateway gw-cp external-interface fe-0/0/4.100
set security ike gateway gw-cp version v1-only
set security ike gateway gw-newcp ike-policy d-ike-phase1-policy
set security ike gateway gw-newcp address 10.112.110.196
set security ike gateway gw-newcp external-interface fe-0/0/4.100
set security ike gateway gw-newcp version v1-only
set security ipsec traceoptions flag all
set security ipsec proposal Ipseccloud description Ipseccloud
set security ipsec proposal Ipseccloud protocol esp
set security ipsec proposal Ipseccloud authentication-algorithm hmac-md5-96
set security ipsec proposal Ipseccloud encryption-algorithm 3des-cbc
set security ipsec proposal Ipseccloud lifetime-seconds 3600
set security ipsec proposal ipsec-phase2-proposal protocol esp
set security ipsec proposal ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec proposal d-ipsec-phase2-proposal protocol esp
set security ipsec proposal d-ipsec-phase2-proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal d-ipsec-phase2-proposal encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec policy d-ipsec-phase2-policy perfect-forward-secrecy keys group2
set security ipsec policy d-ipsec-phase2-policy proposals ipsec-phase2-proposal
set security ipsec policy vpn-policy1 description prashanthpolicy
set security ipsec policy vpn-policy1 proposals Ipseccloud
set security ipsec vpn ike-vpn-cp bind-interface st0.0
set security ipsec vpn ike-vpn-cp ike gateway gw-cp
set security ipsec vpn ike-vpn-cp ike proxy-identity local 192.168.2.0/24
set security ipsec vpn ike-vpn-cp ike proxy-identity remote 10.0.0.0/8
set security ipsec vpn ike-vpn-cp ike ipsec-policy ipsec-phase2-policy
set security ipsec vpn ike-vpn-cp establish-tunnels immediately
set security ipsec vpn ike-vpn-newcp bind-interface st0.1
set security ipsec vpn ike-vpn-newcp ike gateway gw-newcp
set security ipsec vpn ike-vpn-newcp ike proxy-identity local 192.168.2.0/24
set security ipsec vpn ike-vpn-newcp ike proxy-identity remote 10.0.0.0/8
set security ipsec vpn ike-vpn-newcp ike ipsec-policy d-ipsec-phase2-policy
set security ipsec vpn ike-vpn ike gateway ike-gate
set security ipsec vpn ike-vpn ike ipsec-policy vpn-policy1
set security ipsec vpn ike-vpn establish-tunnels immediately
set security address-book book1 address srx 192.168.2.0/24
set security address-book book1 attach zone trust
set security address-book book2 address cp 10.1.1.0/24
set security address-book book2 attach zone vpn-st0
set security address-book book2new address newcp 172.16.1.0/24
set security address-book book2new attach zone vpn-newcp
set security flow tcp-mss ipsec-vpn mss 1350
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source pool 10-102-196-177 address 10.102.196.177/32
set security nat source rule-set nat-out from zone trust
set security nat source rule-set nat-out to zone untrust
set security nat source rule-set nat-out rule interface-nat match source-address 192.168.0.0/16
set security nat source rule-set nat-out rule interface-nat match destination-address 0.0.0.0/0
set security nat source rule-set nat-out rule interface-nat then source-nat off
set security nat destination rule-set untrust from zone untrust
set security nat proxy-arp interface fe-0/0/4.100 address 10.102.196.177/32
set security nat proxy-arp interface fe-0/0/4.100 address 10.102.196.190/32
set security nat proxy-arp interface fe-0/0/4.100 address 10.102.196.191/32
set security policies from-zone untrust to-zone untrust policy accept-all match source-address any
set security policies from-zone untrust to-zone untrust policy accept-all match destination-address any
set security policies from-zone untrust to-zone untrust policy accept-all match application any
set security policies from-zone untrust to-zone untrust policy accept-all then permit
set security policies from-zone trust to-zone trust policy accept-all match source-address any
set security policies from-zone trust to-zone trust policy accept-all match destination-address any
set security policies from-zone trust to-zone trust policy accept-all match application any
set security policies from-zone trust to-zone trust policy accept-all then permit
set security policies from-zone trust to-zone vpn-st0 policy vpn-tr-cp match source-address srx
set security policies from-zone trust to-zone vpn-st0 policy vpn-tr-cp match destination-address cp
set security policies from-zone trust to-zone vpn-st0 policy vpn-tr-cp match application any
set security policies from-zone trust to-zone vpn-st0 policy vpn-tr-cp then permit
set security policies from-zone vpn-st0 to-zone trust policy vpn-cp-tr match source-address cp
set security policies from-zone vpn-st0 to-zone trust policy vpn-cp-tr match destination-address srx
set security policies from-zone vpn-st0 to-zone trust policy vpn-cp-tr match application any
set security policies from-zone vpn-st0 to-zone trust policy vpn-cp-tr then permit
set security policies from-zone trust to-zone vpn-newcp policy vpn-tr-newcp match source-address srx
set security policies from-zone trust to-zone vpn-newcp policy vpn-tr-newcp match destination-address newcp
set security policies from-zone trust to-zone vpn-newcp policy vpn-tr-newcp match application any
set security policies from-zone trust to-zone vpn-newcp policy vpn-tr-newcp then permit
set security policies from-zone vpn-newcp to-zone trust policy vpn-newcp-tr match source-address newcp
set security policies from-zone vpn-newcp to-zone trust policy vpn-newcp-tr match destination-address srx
set security policies from-zone vpn-newcp to-zone trust policy vpn-newcp-tr match application any
set security policies from-zone vpn-newcp to-zone trust policy vpn-newcp-tr then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces fe-0/0/0.0
set security zones security-zone trust interfaces fe-0/0/1.868 host-inbound-traffic system-services all
set security zones security-zone trust interfaces fe-0/0/1.868 host-inbound-traffic protocols all
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces fe-0/0/4.100 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces fe-0/0/4.100 host-inbound-traffic protocols all
set security zones security-zone untrust interfaces vlan.100 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces vlan.100 host-inbound-traffic protocols all
set security zones security-zone vpn-st0 interfaces st0.0
set security zones security-zone vpn-newcp interfaces st0.1
set firewall filter trust term 10-102-196-177 from source-address 10.0.160.0/20
set firewall filter trust term 10-102-196-177 then count 10-102-196-177
set firewall filter trust term 10-102-196-177 then accept
set firewall filter untrust term 10-102-196-177 from destination-address 10.102.196.177/32
set firewall filter untrust term 10-102-196-177 then count 10-102-196-177
set firewall filter untrust term 10-102-196-177 then accept
set firewall filter untrust term 10-102-196-190-34 from source-address 0.0.0.0/0
set firewall filter untrust term 10-102-196-190-34 from destination-address 10.102.196.190/32
set firewall filter untrust term 10-102-196-190-34 from protocol tcp
set firewall filter untrust term 10-102-196-190-34 from destination-port 1-65525
set firewall filter untrust term 10-102-196-190-34 then count 10-102-196-190-i
set firewall filter untrust term 10-102-196-190-34 then accept
set firewall filter untrust term 10-102-196-191-35 from source-address 0.0.0.0/0
set firewall filter untrust term 10-102-196-191-35 from destination-address 10.102.196.191/32
set firewall filter untrust term 10-102-196-191-35 from protocol tcp
set firewall filter untrust term 10-102-196-191-35 from destination-port 1-65525
set firewall filter untrust term 10-102-196-191-35 then count 10-102-196-191-i
set firewall filter untrust term 10-102-196-191-35 then accept
set firewall filter vlan-output-868 term vlan-output-868 then count vlan-output-868
set firewall filter vlan-output-868 term vlan-output-868 then accept
set firewall filter vlan-input-868 term vlan-input-868 then count vlan-input-868
set firewall filter vlan-input-868 term vlan-input-868 then accept
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
set vlans vlan100 vlan-id 100
set vlans vlan100 l3-interface vlan.100
root@SRX-HYD%
Additional VR diagnostics (firewall rules, interfaces, routes, IKE/IPsec status, packet capture, kernel SA/policy state):
--------------------
Debian, strongSwan 4.5.2:
root@r-242-VM:/etc/ipsec.d# iptables -L -nv
Chain INPUT (policy DROP 64 packets, 10413 bytes)
pkts bytes target prot opt in out source destination
368K 50M NETWORK_STATS all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 224.0.0.18
0 0 ACCEPT all -- * * 0.0.0.0/0 225.0.0.50
2 152 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
9 1197 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
315K 39M ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3922 state NEW,ESTABLISHED
17503 4953K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- eth3 * 0.0.0.0/0 0.0.0.0/0 udp dpt:67
3 212 ACCEPT udp -- eth3 * 0.0.0.0/0 10.1.1.1 udp dpt:53
0 0 ACCEPT tcp -- eth3 * 0.0.0.0/0 10.1.1.1 tcp dpt:53
0 0 ACCEPT tcp -- eth3 * 0.0.0.0/0 10.1.1.1 state NEW tcp dpt:80
0 0 ACCEPT tcp -- eth3 * 0.0.0.0/0 10.1.1.1 state NEW tcp dpt:8080
0 0 ACCEPT udp -- eth1 * 10.102.196.249 10.147.30.119 udp dpt:500
0 0 ACCEPT udp -- eth1 * 10.102.196.249 10.147.30.119 udp dpt:4500
0 0 ACCEPT esp -- eth1 * 10.102.196.249 10.147.30.119
root@r-242-VM:/etc/ipsec.d# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 02:00:0b:ae:00:74 brd ff:ff:ff:ff:ff:ff
inet 10.147.28.114/24 brd 10.147.28.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 1e:00:f6:00:00:0f brd ff:ff:ff:ff:ff:ff
inet 10.147.30.119/24 brd 10.147.30.255 scope global eth1
inet 10.147.30.110/24 brd 10.147.30.255 scope global secondary eth1
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 1e:00:49:01:a8:bd brd ff:ff:ff:ff:ff:ff
inet 10.147.52.20/24 brd 10.147.52.255 scope global eth2
5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 02:00:65:36:00:14 brd ff:ff:ff:ff:ff:ff
inet 10.1.1.1/24 brd 10.1.1.255 scope global eth3
root@r-242-VM:/etc/ipsec.d#
root@r-242-VM:/etc/ipsec.d# ip route show
default via 10.147.30.1 dev eth1
10.1.1.0/24 dev eth3 proto kernel scope link src 10.1.1.1
10.147.28.0/24 dev eth0 proto kernel scope link src 10.147.28.114
10.147.30.0/24 dev eth1 proto kernel scope link src 10.147.30.119
10.147.52.0/24 dev eth2 proto kernel scope link src 10.147.52.20
10.147.59.0/24 via 10.147.28.1 dev eth0
root@r-242-VM:/etc/ipsec.d#
root@r-242-VM:~# ipsec statusall
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.147.28.114:4500
000 interface eth0/eth0 10.147.28.114:500
000 interface eth1/eth1 10.147.30.119:4500
000 interface eth1/eth1 10.147.30.119:500
000 interface eth1/eth1 10.147.30.110:4500
000 interface eth1/eth1 10.147.30.110:500
000 interface eth2/eth2 10.147.52.20:4500
000 interface eth2/eth2 10.147.52.20:500
000 interface eth3/eth3 10.1.1.1:4500
000 interface eth3/eth3 10.1.1.1:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: none
000
000 "L2TP-PSK": 172.26.0.151[172.26.0.151]:17/1701---10.147.30.1...%any[%any]:17/%any==={0.0.0.0/0}; unrouted; eroute owner: #0
000 "L2TP-PSK": ike_life: 10800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "L2TP-PSK": policy: PSK+ENCRYPT+TUNNEL+DONTREKEY; prio: 32,0; interface: ;
000 "L2TP-PSK": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "vpn-10.102.196.249": 10.0.0.0/8===10.147.30.119[10.147.30.119]---10.147.30.1...10.102.196.249[10.102.196.249]===192.168.2.0/24; erouted; eroute owner: #95
000 "vpn-10.102.196.249": ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 2
000 "vpn-10.102.196.249": policy: PSK+ENCRYPT+TUNNEL+PFS; prio: 8,24; interface: eth1;
000 "vpn-10.102.196.249": newest ISAKMP SA: #94; newest IPsec SA: #95;
000 "vpn-10.102.196.249": IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1024
000 "vpn-10.102.196.249": ESP proposal: AES_CBC_128/HMAC_SHA1/<Phase1>
000
000 #95: "vpn-10.102.196.249" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3309s; newest IPSEC; eroute owner
000 #95: "vpn-10.102.196.249" esp.a6fe03a@10.102.196.249 (0 bytes) esp.c2eab35c@10.147.30.119 (0 bytes); tunnel
000 #94: "vpn-10.102.196.249" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 28509s; newest ISAKMP
000
Status of IKEv2 charon daemon (strongSwan 4.5.2):
uptime: 16 hours, since May 02 12:17:40 2017
malloc: sbrk 1351680, mmap 0, used 269088, free 1082592
worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0
loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11 xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc dhcp led addrblock
Listening IP addresses:
10.147.28.114
10.147.30.119
10.147.30.110
10.147.52.20
10.1.1.1
Connections:
Security Associations:
none
root@r-242-VM:~#
root@r-242-VM:/etc/ipsec.d# tcpdump -i eth1 host 10.102.196.249 -nvvve
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
04:22:18.681629 f0:b2:e5:81:12:65 > 1e:00:f6:00:00:0f, ethertype IPv4 (0x0800), length 330: (tos 0xc0, ttl 62, id 22958, offset 0, flags [none], proto UDP (17), length 316)
10.102.196.249.500 > 10.147.30.119.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 73d5a739cff930b6->0000000000000000: phase 1 I ident:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=1 spi=73d5a739cff930b6
(t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp1024)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=00007080)(type=auth value=preshared))))
(vid: len=16 afcad71368a1f1c96b8696fc77570100)
(vid: len=16 27bab5dc01ea0760ea4e3190ac27c0d0)
(vid: len=16 6105c422e76847e43f9684801292aecd)
(vid: len=16 4485152d18b6bbcd0be8a8469579ddcc)
(vid: len=16 cd60464335df21f87cfdb2fc68b6a448)
(vid: len=16 90cb80913ebb696e086381b5ec427b1f)
(vid: len=16 7d9419a65310ca6f2c179d9215529d56)
(vid: len=16 4a131c81070358455c5728f20e95452f)
(vid: len=28 699369228741c6d4ca094c93e242c9de19e7b7c60000000500000500)
04:22:18.681838 1e:00:f6:00:00:0f > f0:b2:e5:81:12:65, ethertype IPv4 (0x0800), length 202: (tos 0x0, ttl 64, id 48685, offset 0, flags [DF], proto UDP (17), length 188)
10.147.30.119.500 > 10.102.196.249.500: [bad udp cksum 0xf922 -> 0xc064!] isakmp 1.0 msgid 00000000 cookie 73d5a739cff930b6->3b437ff8e8291d0b: phase 1 R ident:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=1
(t: #0 id=ike (type=enc value=aes)(type=keylen value=0080)(type=group desc value=modp1024)(type=hash value=sha1)(type=lifetype value=sec)(type=lifeduration len=4 value=00007080)(type=auth value=preshared))))
(vid: len=16 882fe56d6fd20dbc2251613b2ebe5beb)
(vid: len=8 09002689dfd6b712)
(vid: len=16 afcad71368a1f1c96b8696fc77570100)
(vid: len=16 4a131c81070358455c5728f20e95452f)
04:22:18.704975 f0:b2:e5:81:12:65 > 1e:00:f6:00:00:0f, ethertype IPv4 (0x0800), length 270: (tos 0xc0, ttl 62, id 22959, offset 0, flags [none], proto UDP (17), length 256)
10.102.196.249.500 > 10.147.30.119.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 73d5a739cff930b6->3b437ff8e8291d0b: phase 1 I ident:
(ke: key len=128 41d168b0f9adb58e26605c19998b20c9b9299fc59c8b0c0bee78790a2802c3a013714d7963d3e49f4affc613f79d70a1fc2be6e1d061e79e1184299906ec77b1c940edecab136bc31d0c1d06b85752c679f001d4c87340e5f50da88ed07bdac1bfa4677d9ae308626fcfd91f3ca991da13f740d3e900b2599b7b15b3ea65c229)
(nonce: n len=16 f9ed15f833e970624e62fff20ffb6f1c)
(pay20)
(pay20)
04:22:18.708052 1e:00:f6:00:00:0f > f0:b2:e5:81:12:65, ethertype IPv4 (0x0800), length 270: (tos 0x0, ttl 64, id 48689, offset 0, flags [DF], proto UDP (17), length 256)
10.147.30.119.500 > 10.102.196.249.500: [bad udp cksum 0xf966 -> 0x6b41!] isakmp 1.0 msgid 00000000 cookie 73d5a739cff930b6->3b437ff8e8291d0b: phase 1 R ident:
(ke: key len=128 e4ea201711a2561dcd5cd3ebb7a79a6c67d79775f7a850b796137eccef8e4b371dcabcf8b11e64f71ddaf66c109ebe0fd30f3611d4453f1e06b2f8e861004f2d3618e50bd753267888dab69e571d97a8fd4f5b2c1cfef01b2b7dbd63f6bff3b8b71005a058e028024ed92bfcf15bf07d8bf53f0640dab922a4acad155f42669c)
(nonce: n len=16 3b19f5686aba936f952ffca5d6a92848)
(pay20)
(pay20)
04:22:18.728460 f0:b2:e5:81:12:65 > 1e:00:f6:00:00:0f, ethertype IPv4 (0x0800), length 134: (tos 0xc0, ttl 62, id 22960, offset 0, flags [none], proto UDP (17), length 120)
10.102.196.249.500 > 10.147.30.119.500: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 73d5a739cff930b6->3b437ff8e8291d0b: phase 1 I ident[E]: [encrypted id]
04:22:18.728988 1e:00:f6:00:00:0f > f0:b2:e5:81:12:65, ethertype IPv4 (0x0800), length 118: (tos 0x0, ttl 64, id 48690, offset 0, flags [DF], proto UDP (17), length 104)
10.147.30.119.500 > 10.102.196.249.500: [bad udp cksum 0xf8ce -> 0xcd3a!] isakmp 1.0 msgid 00000000 cookie 73d5a739cff930b6->3b437ff8e8291d0b: phase 1 R ident[E]: [encrypted id]
04:22:18.757571 f0:b2:e5:81:12:65 > 1e:00:f6:00:00:0f, ethertype IPv4 (0x0800), length 342: (tos 0xc0, ttl 62, id 22961, offset 0, flags [none], proto UDP (17), length 328)
10.102.196.249.500 > 10.147.30.119.500: [udp sum ok] isakmp 1.0 msgid 99c7ea8b cookie 73d5a739cff930b6->3b437ff8e8291d0b: phase 2/others I oakley-quick[E]: [encrypted hash]
04:22:18.760705 1e:00:f6:00:00:0f > f0:b2:e5:81:12:65, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 64, id 48692, offset 0, flags [DF], proto UDP (17), length 328)
10.147.30.119.500 > 10.102.196.249.500: [bad udp cksum 0xf9ae -> 0x4a14!] isakmp 1.0 msgid 99c7ea8b cookie 73d5a739cff930b6->3b437ff8e8291d0b: phase 2/others R oakley-quick[E]: [encrypted hash]
04:22:18.823463 f0:b2:e5:81:12:65 > 1e:00:f6:00:00:0f, ethertype IPv4 (0x0800), length 102: (tos 0xc0, ttl 62, id 22962, offset 0, flags [none], proto UDP (17), length 88)
10.102.196.249.500 > 10.147.30.119.500: [udp sum ok] isakmp 1.0 msgid 99c7ea8b cookie 73d5a739cff930b6->3b437ff8e8291d0b: phase 2/others I oakley-quick[E]: [encrypted hash]
root@r-242-VM:/etc/ipsec.d# ip -s xfrm state
src 10.147.30.119 dst 10.102.196.249
proto esp spi 0xac6fbc7e(2893003902) reqid 16420(0x00004024) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
auth-trunc hmac(sha1) 0x113f7f0dfd3391b09d4cebe1828eec4d0f87b21e (160 bits) 96
enc cbc(aes) 0xd6c90b451f66ceac528c5e48031de357 (128 bits)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-03 04:22:18 use -
stats:
replay-window 0 replay 0 failed 0
src 10.102.196.249 dst 10.147.30.119
proto esp spi 0xc0273ad7(3223796439) reqid 16420(0x00004024) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
auth-trunc hmac(sha1) 0xf8498d08e047a042a4e3bbf4b4bd44107fe43d6a (160 bits) 96
enc cbc(aes) 0x127971e3e8b3901fc34301711ab8960b (128 bits)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-03 04:22:18 use -
stats:
replay-window 0 replay 0 failed 0
root@r-242-VM:/etc/ipsec.d#
root@r-242-VM:/etc/ipsec.d# ip -s xfrm policy
src 10.0.0.0/8 dst 192.168.2.0/24 uid 0
dir out action allow index 1417 priority 1923 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-03 04:22:18 use -
tmpl src 10.147.30.119 dst 10.102.196.249
proto esp spi 0x00000000(0) reqid 16420(0x00004024) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.2.0/24 dst 10.0.0.0/8 uid 0
dir fwd action allow index 1410 priority 1923 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-03 04:22:18 use -
tmpl src 10.102.196.249 dst 10.147.30.119
proto esp spi 0x00000000(0) reqid 16420(0x00004024) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.2.0/24 dst 10.0.0.0/8 uid 0
dir in action allow index 1400 priority 1923 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-03 04:22:18 use -
tmpl src 10.102.196.249 dst 10.147.30.119
proto esp spi 0x00000000(0) reqid 16420(0x00004024) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 692 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 683 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 676 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 667 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 660 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 651 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 644 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 635 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 628 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 619 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 612 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use 2017-05-03 04:22:18
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 603 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use 2017-05-03 04:22:18
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 596 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 587 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 580 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 571 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 564 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 555 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 548 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 539 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 532 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 523 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 516 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 507 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src ::/0 dst ::/0 uid 0
socket in action allow index 499 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src ::/0 dst ::/0 uid 0
socket out action allow index 492 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src ::/0 dst ::/0 uid 0
socket in action allow index 483 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src ::/0 dst ::/0 uid 0
socket out action allow index 476 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src ::/0 dst ::/0 uid 0
socket in action allow index 467 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src ::/0 dst ::/0 uid 0
socket out action allow index 460 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 451 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 444 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 435 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 428 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use 2017-05-02 13:47:57
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket in action allow index 419 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use 2017-05-03 04:22:18
src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
socket out action allow index 412 priority 0 ptype main share any flag (0x00000000)
lifetime config:
limit: soft 0(bytes), hard 0(bytes)
limit: soft 0(packets), hard 0(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-05-02 12:17:40 use -
root@r-242-VM:/etc/ipsec.d#